The main goal of laboratory report is to identify the responsibilities for the IP addresses
below and how we can make connection to them. IP addresses are randomly chosen by
External IP that is used for purpose of this test is following: 188.8.131.52/255 1. The ISP that provides this network is EENet2. Organization that is behind is Tallinn Technical University, Estonia. City location is Tallinn and the region is Harjumaa. The phone number of my ISP is: +372 73*****. The e-mail we should report abuse are: first persons that is in charge: Viktor Borisevitch (e-mail: **tor at cc.ttu.ee and phone number: +372-2-****46) and Andres Lepp (e-mail: l*** at cc.ttu.ee and phone number: +372 6 *****55). In addition, if we wont to submit an abuse we should use both persons of network administration and then we can submit and security incident on the following ISP e-mail: firstname.lastname@example.org [RIPE NCC].
All in all, Method 1 and Appendix 1 describes the website, tools and application that
are used to conduct this laboratory report. In addition, Method 2 and Appendix 2 will
introduce website tools and databases where we can check if following IP’s have been
reported before as abuse and security risk. Both methods are represented with answer
and consequences confront in the result section.
Finally the conclusion made of all collected data will be concise in conclusion section of this report.
First method describes and demonstrates web tools that have been used to collect the needed information from the stated IP’s addresses. Second method is pointing out website tools and databases that can be applied if the IP has been reported previously as a abuse, spam or security threat.
Firstly, we need to collect as much as we can details about the IP address. In Appendix 1
is showing the wholly information of the IP’s, contact details, organization name, address,
location, state, country, technicians contact, abuse phone number, abuse e-mail, etc.
Depending on the location of IP we should make sure that not only we know the ISP
or abuse contact details, but we should know national CERT 3 agency that is in charge too.
Therefore, to collect the information we have used different web sites, agencies: [RIPE
NCC][LACNIC][AfriNIC][APNIC][ARIN]. The above reference are agencies collected from
IANA4. Authority responsible for global coordination of the Internet Protocol addressing
Moreover, to have more details about the route of the IP’s we are using command
prompt in Windows 7 with the following command, where the results are presented in
Appendix 2 section:
To illustrate, the details information are presented in Result 1 section.
After we have collected the wholly information about the concrete IP proposals, we should
check if in addition those IP’s previously have been reported as abused, spam or security
threat. To complete the following method we need to check concrete database system that is offering following service. First that crossed on web is [MalwareURL] which is dedicated to fighting malware, trojans and a multitude of other web-related threats. In addition, we can check if the IP addresses are listed in anti-spam databases. With other words blacklist check [MyIPAddress].
Results from Method 1 are presented in Result 1, further Method 2 is presented in Result
For each IP are presented only the most important data details that we need to collect for
our goal. In addition, full description and details are presented in Appendix 1. The tables
bellow are illustrating the most important information that we should look-for. In addition,
the highlighted lines are indicating the abuse e-mail box that should be send mail too.
OrgName: New Dream Network, LLC
Address: 417 Associated Rd.
Address: PMB #257
#technician in charge
OrgTechName: Nagel, Mark
OrgTechEmail: mna47-arin at dreamhost.com
#abuse in charge
OrgAbuseName: DreamHost Abuse Team
OrgAbuseEmail: abuse at dreamhost.com
person: Chris Burns
address: Building 4
address: City West Office Park
address: Gelderd Road
address: Leeds LS12 6LX
abuse-mailbox: abuse at laveconetworks.co.uk
role: Mannesmann Arcor Network Operation Center
address: Arcor AG & Co. KG
address: Department TBS
address: Otto-Volger-Str. 19
address: D-65843 Sulzbach/Ts.
phone: +49 6196 523 0864
abuse-mailbox: abuse at arcor-ip.de
However, now that we know the abuse e-mail, phone number and contact person
details, still is this information enough for us. If we look in details all of the IP’s are from different countries. Therefore we need to find what is the national CERT agency contact details. First table is based in USA, therefore we need to use their reporting system, which is locate in the following link: http://www.us-cert.gov/ . Second table is UK, the national CERT agency link: www.ukcert.org.uk. Third table is based in Germany, the CERT agency link: http://www.cert-verbund.de/.
From the routing trace we can conclude that the first IP and the third respond and it
did not miss route trace, where in the second IP, 184.108.40.206 there is miss route trace.
That is why we will run this IP address to Method 2. Despite the fact, still we will run the
rest of IP’s in the Method 2, to be trusted that are not in the abuse list.
Next step is to attempt to search the IP address to check if they have been previously
report as a abuse, trojan, malware, security threat, etc.
To check and verify the security status we are using the service available
[MalwareURL]. Where results for 220.127.116.11 and 18.104.22.168 are with status that
have not been previously reported as abuse. On the other hand, 22.214.171.124 IP address is detected as an security threat before. More details are presented in Appendix 3. Where is demonstrating that the /404.php?type=stats&affid=531&subid=03&iruns has been reported as malicious URL and it is in a blacklist of Google, MyWOT, etc.
Not only that it is listed in the malware database list, but also if we double check on
service [MyIPAddress] that the 126.96.36.199 IP address is listed in few blacklist which is
assess by DNSBL5.
In conclusion, I would like to reiterate that the concrete IP’s that we analysis in this report
are demonstrating the process and methods that should be done in future to detect, report
abuse, malware, threat, trojan, security risk, etc. Where we should gather the detail
information, and to whom to turn the abuse. To be precise that are not in blacklist, spam
In spite of following IP’s: 188.8.131.52 and 184.108.40.206, from performing
methods and delivering results are safe and secure, still think can be exploited in easy
manners. The opposite, IP address 220.127.116.11 it has been already report infected as
malicious code from few blacklist providers. When checking the DNS, host name is linking to UK company that deals with IP Transit. For further information please check the
following link: http://www.laveconetworks.co.uk/.
In general, hope that laboratory report and the analyse will help to anyone else to
guide them for future use.
Appendix 1 is list of details collected from service. Appendix 2 is trace route details. Where Appendix 3 is the result collected from the black list database.
Because of large content please download [PDF]
RIPE NCC: RIPE NCC, Data & Tools, 2011, https://www.ripe.net/data-tools
LACNIC: Internet Address Registry for Latin America and the Caribbean, REGISTRATION SERVICES , , http://lacnic.net/cgi-bin/lacnic/whois?lg=EN
AfriNIC: AfriNIC LTD, Query the AfriNIC Whois Database, 2011, http://www.afrinic.net/cgi-bin/whois
APNIC: APNIC, APNIC – Query the APNIC Whois Database, 2011, http://wq.apnic.net/apnic-bin/whois.pl
ARIN: ARIN, WHOIS-RWS, 2011, http://whois.arin.net
IANA: IANA, Number Resources, 2011, http://www.iana.org/numbers/
MalwareURL: The MalwareURL Team, The MalwareURL Team, 2011,
MyIPAddress: What Is My IP Address, Blacklist Check, 2011,
1 I will not show my own IP address
2 EENet – http://www.eenet.ee/EENet/
3 CERT – Computer Emergency Response Team
4 IANA – Internet Assigned Numbers Authority – http://www.iana.org/
5 DNSBL – Domain Name System Blacklist
* Changed on purpose, to disclose the exposure